At work we issue X.509 certificates from several internal certificate authorities. When you work with an internal CA, you must update the trust store of your system or your application so that connections validate correctly.
On Linux you may add bundles to the system trust store with the help of update-ca-certificates. Your internal CA will thus be trusted by tools like wget or even PHP applications.
However, some stacks ignore the system trust store and use their own, like Java and Node.js. For the latter, starting with 7.3.0, you can add extra CAs with the environment variable
Cool, but it appears that Insomnia (a REST client) and, more generally, every Electron app ignore this variable, at best [1]. And you end up with this:
As you can see, the workaround proposed by the application is to simply disable SSL validation. What a brilliant idea.
While wandering between tabs and swearing I saw something interesting in the Timeline tab:
The good news is that Insomnia uses curl to make requests; the bad news is that they decided to override the default behavior of curl (using the system trust store) with an embedded trust store which is copied into
After a quick check, it appears that x is the version number and y the trust store bundle name which is provided in
Now we need to override this file with the system store. If you use systemd on your device, you can use systemd-tmpfiles to achieve that.
Let's create a file /usr/lib/tmpfiles.d/insomnia.conf with the following content:
L+ /tmp/insomnia_5.16.6/2017-09-20.pem - - - - /etc/ssl/certs/ca-certificates.crt
- In this example, I took the references for Insomnia 5.16.6. You should adapt them to your version.
- L+ tells systemd to remove the target file if it already exists
- systemd-tmpfiles will execute this file at each boot
Delete the folder /tmp/insomnia_* before rebooting or executing the following command. If you miss this step, the folder will still be writable by Insomnia.
If you want to execute this file without rebooting, type the following command:
systemd-tmpfiles --create /usr/lib/tmpfiles.d/insomnia.conf
As the file used by Insomnia is now a symlink to the system trust store, it will validate all requests against it, giving you correct validation with a custom CA.
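To confirm that the symlink is in place and has not been replaced by Insomnia's own copy, here is a small audit script, added as an example and not part of the original post. The function names `store_status` and `audit_stores` are hypothetical, the demo layout is constructed, and `readlink -f` is assumed to come from GNU coreutils.

```shell
#!/bin/sh
# Added example: audit Insomnia's embedded trust store files.
# Assumption: stores live at <base>/insomnia_<version>/<bundle>.pem,
# matching the tmpfiles.d line shown above.

# Print the state of one store file relative to the expected bundle.
store_status() {
    file=$1; expected=$2
    if [ -L "$file" ]; then
        # Resolve both sides so relative or chained links compare equal.
        if [ "$(readlink -f "$file")" = "$(readlink -f "$expected")" ]; then
            echo "ok"
        else
            echo "wrong-target"
        fi
    elif [ -e "$file" ]; then
        echo "regular-file"   # Insomnia's own copy: custom CAs not trusted
    else
        echo "missing"
    fi
}

# Audit every store under <base>; return 1 if any is not "ok".
audit_stores() {
    base=$1; expected=$2; rc=0
    for f in "$base"/insomnia_*/*.pem; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        s=$(store_status "$f" "$expected")
        echo "$s $f"
        [ "$s" = "ok" ] || rc=1
    done
    return $rc
}

# Constructed demo layout (not real Insomnia data), built in a temp dir.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/insomnia_5.16.6" "$demo/insomnia_0.0.0"
echo "constructed bundle" > "$demo/etc/ca-certificates.crt"
ln -s "$demo/etc/ca-certificates.crt" "$demo/insomnia_5.16.6/2017-09-20.pem"
echo "embedded copy" > "$demo/insomnia_0.0.0/2017-09-20.pem"
audit_stores "$demo" "$demo/etc/ca-certificates.crt" || echo "fix needed"
rm -rf "$demo"
```

On a real machine, call `audit_stores /tmp /etc/ssl/certs/ca-certificates.crt` after an Insomnia upgrade, since a new version directory will not be covered by the old tmpfiles.d entry.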
[1] I experienced segfaults while playing with this variable